Security In System Design - Learning Module

Loading content...

0/273

Defense in Depth

The Medieval Wisdom of Modern Security

Medieval castle architects understood something that many modern system designers forget: no single defense is impenetrable.

A castle wasn't just a high wall—it was a system of layered defenses. Attackers who breached the outer wall faced a moat. Those who crossed the moat encountered the inner wall. Past the inner wall lay the keep. And within the keep, the treasury had its own locks and guards. Each layer bought time, increased cost for attackers, and provided opportunities for defenders to respond.

This same principle—defense in depth—is the cornerstone of modern security architecture. In a world where breaches are not a matter of if but when, we design systems where compromising one layer doesn't mean losing everything.

This page teaches you to think like a castle architect: building overlapping, redundant defenses so that attackers must succeed at every layer while defenders need only succeed at one.

What You Will Learn

By the end of this page, you will understand the defense in depth principle, recognize the layers where security controls should be applied, know how to design systems with multiple lines of defense, and appreciate how modern zero-trust architectures extend this classic concept.

Understanding Defense in Depth

Defense in depth (DiD) is a security strategy that deploys multiple layers of security controls throughout a system. The underlying assumption is that no single security measure is foolproof—each can fail, be bypassed, or contain undiscovered vulnerabilities.

The mathematical reality:

If a single security control has a 1% chance of being bypassed, you have a 1% breach probability. But if you layer three independent controls, each with 1% bypass probability:

Combined breach probability = 0.01 × 0.01 × 0.01 = 0.000001 (0.0001%)

Layering transforms fragile individual controls into robust combined protection. The attacker must bypass every layer; the defender only needs one to hold.

Independence Matters

The math only works if layers are independent. If one vulnerability bypasses multiple layers (e.g., the same credential granting access everywhere), you've lost the defense in depth benefit. Layers must be diverse—different technologies, different trust boundaries, different validation approaches.

The cheese model of security:

Security researcher James Reason proposed the 'Swiss cheese model' that illustrates defense in depth. Imagine each security layer as a slice of Swiss cheese—it provides protection, but has holes (vulnerabilities). A breach occurs only when the holes in every slice align, creating a path through all layers.

Attacker → [Firewall] → [Auth] → [Encryption] → [Validation] → [Audit] → Data
             🧀           🧀          🧀              🧀           🧀
           (holes)     (holes)     (holes)         (holes)      (holes)

Your job as an architect is to:

Add more slices (more layers of defense)
Minimize holes in each slice (strengthen individual controls)
Ensure holes don't align (use diverse, independent controls)

Even imperfect controls, when layered, create formidable defense.

Core Defense in Depth Principles

•Redundancy — No single control is the sole protection. If one fails, others remain.
•Diversity — Use different control types (technical, procedural, physical) to avoid common-mode failures.
•Least Privilege — Grant minimum necessary access at each layer. Breach of one layer shouldn't grant unlimited access.
•Defense in Breadth — Apply controls across all attack vectors, not just the most obvious ones.
•Assume Breach — Design with the expectation that outer layers will be compromised. Inner layers must still protect.

The Security Layers of a Modern System

A well-designed system implements security controls at multiple layers. Each layer has distinct responsibilities and should be designed to function even if adjacent layers fail.

The seven-layer security model:

While not a formal standard, this model provides a useful framework for thinking about where to place security controls in system architecture:

Security Layers and Their Controls
Layer	Description	Example Controls
Network Perimeter	First line of defense at network boundary	Firewalls, WAF, DDoS protection, ingress filtering
Network Internal	Protection within the network	Network segmentation, VLANs, private subnets, VPNs
Host/Container	Individual machine/container protection	OS hardening, patch management, container security, endpoint detection
Application	Application-level security logic	Input validation, output encoding, error handling, secure coding practices
Identity	Who can access what	Authentication, authorization, identity federation, access control lists
Data	Protection of data itself	Encryption at rest, encryption in transit, tokenization, masking
Monitoring	Detection and response capabilities	Logging, alerting, SIEM, incident response, forensics

Layer interaction example:

Consider an attacker attempting to steal customer data from a well-designed system:

Network Perimeter: The WAF blocks the SQL injection pattern in the HTTP request.
Even if WAF is bypassed: The application layer validates and parameterizes queries, preventing SQL injection.
Even if app validation fails: Database permissions restrict the compromised application to read-only access on non-sensitive tables.
Even if broader DB access is gained: Sensitive columns are encrypted; the application key isn't accessible.
Even if encryption is bypassed: The monitoring layer detects unusual data access patterns and triggers an alert.
Even if not caught immediately: Audit logs provide forensic trail for post-incident analysis.

Each layer provides independent protection. The attacker must defeat all of them; we only need one to hold.

Avoid Layer Dependency

A common mistake is implementing 'defense in depth' where later layers assume earlier layers succeeded. For example, skipping input validation in the application because 'the WAF will catch it.' True defense in depth means each layer validates independently, as if no other layer exists.

Network Layer Security: The First Line

Network-layer security controls form the outermost defense perimeter. While never sufficient alone, they filter massive amounts of noise and known attack patterns before they reach your application.

Key network security controls:

Network Security Components

•Firewalls — Filter traffic based on source/destination IP, ports, and protocols. Define what can reach your services. Cloud security groups and network ACLs serve this role.
•Web Application Firewalls (WAF) — Inspect HTTP traffic for application-layer attacks: SQL injection, XSS, path traversal. Deploy at the edge (CloudFront, Cloudflare) or application load balancer.
•DDoS Protection — Absorb volumetric attacks before they overwhelm your infrastructure. Services like AWS Shield, Cloudflare, or Akamai provide this at scale.
•Network Segmentation — Divide your network into zones: public-facing, internal, management, data. Strict controls govern traffic between zones.
•Private Networking — Keep internal services off the public internet entirely. Use private subnets, VPC peering, and private endpoints.
•Ingress/Egress Filtering — Control what traffic can enter and leave. Egress filtering can detect compromised systems 'phoning home.'

Network segmentation architecture:

A robust network architecture creates trust zones with controlled interfaces between them:

                              INTERNET
                                  │
                           ┌──────▼──────┐
                           │   WAF/CDN   │ ← Edge protection
                           └──────┬──────┘
                                  │
                    ┌─────────────▼─────────────┐
                    │      PUBLIC SUBNET        │
                    │  (Load Balancers, Bastion)│
                    └─────────────┬─────────────┘
                                  │ (Strict security group)
                    ┌─────────────▼─────────────┐
                    │     PRIVATE SUBNET        │
                    │   (Application Servers)   │
                    └─────────────┬─────────────┘
                                  │ (Even stricter rules)
                    ┌─────────────▼─────────────┐
                    │       DATA SUBNET         │
                    │ (Databases, Cache, Queue) │
                    └───────────────────────────┘

Each subnet boundary represents a control point. Even if application servers are compromised, they can only reach databases on specific ports with specific protocols. Lateral movement is constrained.

The Perimeter Is Not Enough

Traditional 'perimeter security' assumed the internal network was safe once you passed the firewall. This is dangerously obsolete. Modern zero-trust architectures assume attackers are already inside and verify every request regardless of network location.

Application Layer Security: Your Last Line of Defense

If network controls are your castle walls, application security is the guards inside. When attackers bypass network defenses (and they will), your application code is the final barrier protecting data and functionality.

Application security is mission-critical because:

Network controls can't understand application logic or business rules
Many attacks arrive as legitimate-looking HTTP requests that pass network inspection
Application bugs (logic flaws, injection vulnerabilities) can't be fixed by infrastructure

Key application security controls:

Application Layer Defenses

•Input Validation — Validate all input on the server side. Never trust client-side validation. Use allowlists over denylists. Reject unexpected input types or formats.
•Output Encoding — Encode data when rendering to prevent XSS. Context-aware encoding: HTML vs. JavaScript vs. URL encoding.
•Parameterized Queries — Never concatenate user input into queries. Use prepared statements or parameterized queries exclusively.
•Authentication Enforcement — Verify identity on every protected request. Don't rely on session state that could be manipulated.
•Authorization Checks — Verify permissions for every action. Check that the authenticated user is authorized for this specific resource/operation.
•Error Handling — Don't leak stack traces, database errors, or internal paths. Return generic errors to users; log details internally.
•Rate Limiting — Protect against brute force, credential stuffing, and resource exhaustion at the application layer.
•Security Headers — Set Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and other protective headers.

The principle of fail-secure:

Application code must fail securely. When exceptions occur, errors happen, or edge cases arise, the default should be deny access, not grant access.

Anti-pattern (fail-open):

def check_admin(user):
    try:
        return user.role == 'admin'
    except:
        return True  # DANGEROUS: error = admin access

Secure pattern (fail-closed):

def check_admin(user):
    try:
        return user.role == 'admin'
    except:
        return False  # Safe: error = no access

Every error path, timeout, or exception should result in the most restrictive outcome, not the most permissive.

Security by Default

Configure frameworks and libraries for security by default. Enable CSRF protection, XSS filtering, and secure cookie flags globally. Make security the path of least resistance—developers should have to explicitly opt out of protection, not opt in.

Data Layer Security: Protecting What Matters Most

Ultimately, attackers want your data. Even if network and application layers are compromised, data-layer security ensures that captured data is useless to attackers.

The data protection mindset:

Assume that attackers will eventually reach your data. Design so that even then:

Encrypted data can't be read without keys
Stolen databases require decryption keys that are stored elsewhere
Sensitive fields are tokenized, rendering stolen tokens useless
Access patterns are logged and anomalies detected

Data Layer Security Controls

•Encryption at Rest — All persistent data (databases, files, backups) encrypted using strong algorithms (AES-256). Cloud providers offer transparent encryption; enable it everywhere.
•Encryption in Transit — All data movement uses TLS 1.2+ minimum. This includes internal service-to-service communication, not just external traffic.
•Key Management — Encryption is only as secure as key management. Use dedicated KMS (AWS KMS, GCP KMS, HashiCorp Vault). Separate key storage from data storage.
•Tokenization — Replace sensitive data (credit cards, SSNs) with tokens. The tokenization system maps tokens to real values and is heavily protected.
•Data Masking — In non-production environments and logs, mask sensitive data. Developers never see real customer data.
•Column-Level Encryption — For highest sensitivity data, encrypt individual columns with application-held keys. Even a database dump reveals nothing.
•Field-Level Access Control — Some fields visible to some roles only. Customer support sees masked SSN; compliance sees full value.

Data Protection Techniques by Sensitivity Level
Data Type	Sensitivity	Protection Approach
User preferences	Low	Encrypted at rest (volume/database-level)
Email addresses	Medium	Encrypted at rest, masked in logs, access audited
Passwords	High	Hashed with bcrypt/Argon2, never stored plaintext, never logged
Payment cards	Critical	Tokenized, PCI-compliant vault, field-level encryption
SSN/Government ID	Critical	Tokenized, column-level encryption, strict access controls
Health records	Critical	HIPAA-compliant storage, encryption, audit logging, data minimization

Key Separation Is Critical

If encryption keys are stored alongside encrypted data, encryption provides no protection against database theft. Keys must be stored in a separate system (KMS, Vault) with its own access controls. Compromising the database should not grant access to decryption keys.

Identity Layer Security: Authentication and Authorization

The identity layer answers two fundamental questions:

Authentication: Who are you? (Proving identity)
Authorization: What can you do? (Granting permissions)

These must be independent layers. A user might be authenticated (we know who they are) but not authorized (they're not allowed to perform this action). Both checks must occur on every protected operation.

Authentication as a defense layer:

Authentication Controls

•Strong Password Requirements — Minimum length (12+ characters), complexity, breach database checking (HaveIBeenPwned API).
•Multi-Factor Authentication (MFA) — Require something you know (password) plus something you have (TOTP, hardware key) or something you are (biometrics).
•Rate Limiting on Auth — Prevent brute force attacks. Lock accounts or increase delays after failed attempts. Use CAPTCHAs when suspicious.
•Session Management — Secure, HttpOnly, SameSite cookies. Appropriate expiration. Session invalidation on password change.
•Credential Storage — Passwords hashed with bcrypt, Argon2, or scrypt. High cost factors. Never reversible encryption.
•Credential Recovery — Secure reset flows. Time-limited tokens. Don't reveal whether email exists. Notify on password change.

Authorization as a defense layer:

Authentication proves identity; authorization enforces what that identity can do. These are distinct concerns:

GET /api/orders/12345

✓ Authentication: Token valid, user is alice@example.com
✓ Authorization:  Does alice own order 12345? Does alice have 'read:orders' permission?

Common authorization models:

Role-Based Access Control (RBAC): Users have roles; roles have permissions. Simple, widely used.
Attribute-Based Access Control (ABAC): Permissions based on attributes of user, resource, action, and environment. Flexible, complex.
Relationship-Based Access Control: Permissions based on relationships (owner, editor, viewer). Used by Google Zanzibar.

Regardless of model, the key is enforcement at every access point. Authorization isn't a one-time check at login—it's verified on every operation.

The Broken Authorization Epidemic

Broken access control was #1 on the OWASP Top 10 in 2021. It's the most common severe vulnerability. Developers check 'is user logged in' but forget 'is this user allowed to access THIS resource.' Every endpoint must verify both.

Monitoring Layer: Detection and Response

The monitoring layer acknowledges a reality: prevention eventually fails. When it does, you need to detect the breach quickly and respond effectively. The faster you detect, the smaller the damage.

Detection is a control:

Average time to identify a breach: 207 days
Average time to contain a breach: 70 days
(IBM Cost of a Data Breach Report 2023)

Companies with robust detection and response capabilities reduce breach costs by $1.76 million on average. Monitoring isn't just operational—it's a security control.

Monitoring Layer Components

•Security Logging — Log security-relevant events: authentication attempts, authorization failures, sensitive data access, admin actions, configuration changes.
•Log Aggregation — Centralize logs from all systems into a SIEM (Security Information and Event Management) for correlation and analysis.
•Alerting — Define rules that trigger alerts: multiple failed logins, access from unusual locations, privilege escalation attempts.
•Anomaly Detection — Use behavioral baselines to detect deviations: unusual query patterns, unexpected data volumes, new process execution.
•Intrusion Detection/Prevention (IDS/IPS) — Monitor network traffic for known attack patterns and anomalies.
•Incident Response — Documented procedures for responding to detected threats. Practiced through tabletop exercises and drills.
•Forensic Capability — Immutable log storage that can't be tampered with by attackers covering their tracks.

What to log for security:

Not all logs are security-relevant. Focus logging on events that help detect and investigate attacks:

Security-Relevant Events:
├── Authentication events (login, logout, failed attempts, MFA usage)
├── Authorization events (permission checks, especially failures)
├── Data access (who accessed what sensitive data, when)
├── Administrative actions (user creation, permission changes, config updates)
├── API activity (unusual patterns, high-volume requests, error rates)
└── System events (service starts, crashes, resource exhaustion)

Each log entry should include: timestamp (UTC), user/session identifier, source IP, action performed, resource accessed, and result (success/failure). Structured logging (JSON) enables efficient querying.

Assume You're Already Breached

Design monitoring with the assumption that an attacker is already in your system. What would you want to see to detect them? What evidence would you need to understand what they accessed? Build that visibility proactively.

Implementing Defense in Depth

Defense in depth sounds straightforward in principle, but implementation requires systematic thinking. Here's a practical approach to designing layered defenses:

Step 1: Identify assets

What are you protecting? Data, functionality, availability, reputation? Rank assets by criticality—this guides where to invest most heavily.

Step 2: Map attack paths

How might an attacker reach each asset? What layers must they cross? For each path, identify the controls at each layer.

Step 3: Ensure layer independence

Verify that each layer provides protection independently. A compromised web server shouldn't automatically grant database access. Credentials shouldn't be shared across tiers.

Defense in Depth Audit Checklist
Layer	Control Exists?	Independent?	Monitored?
Network Perimeter	Firewall + WAF configured	Doesn't rely on app validation	Traffic anomaly alerts
Network Internal	Segmentation in place	Services isolated per function	Internal traffic logging
Host/Container	Hardened images, patched	Least privilege OS users	Endpoint detection (EDR)
Application	Input validation, auth/authz	Doesn't trust network controls	Application security logs
Identity	MFA, strong sessions	Separate from app logic	Auth attempt monitoring
Data	Encryption, key separation	Keys not accessible via app breach	Data access auditing
Monitoring	SIEM, alerting	Log server protected separately	Alert on log tampering

Step 4: Test layer failures

Deliberately disable one control and verify others still protect. What if WAF rules are bypassed? Does application validation catch attacks? What if a developer account is compromised? Does least privilege limit damage?

Step 5: Continuous improvement

Defense in depth isn't a one-time exercise. New attack techniques emerge, new vulnerabilities are discovered, and your system evolves. Regular security reviews, penetration testing, and chaos engineering validate that layers remain effective.

The Red Team Mindset

Think like an attacker when auditing your layers. If you were trying to breach this system, which layer would you target? Where would you look for weaknesses? This adversarial mindset reveals gaps that defensive thinking misses.

Summary: Defense in Depth

We've explored the foundational strategy of layered security. Let's consolidate the key takeaways:

Key Takeaways

•No single defense is sufficient — Every control can be bypassed. Layer multiple controls so failure of one doesn't compromise everything.
•Layers must be independent — If one credential, flaw, or bypass defeats multiple layers, you've lost defense in depth.
•Apply controls at every layer — Network, host, application, identity, data, and monitoring all provide unique protection.
•Assume breach — Design inner layers as if outer layers have failed. This drives truly defense-in-depth thinking.
•Monitor for detection — Prevention eventually fails. Detection capability limits damage when it does.
•Test layer failures — Deliberately disable controls to verify other layers compensate.
•Continuous improvement — Defense in depth is ongoing, not one-time. Regularly audit and strengthen.

What's next:

Now that we understand how to layer defenses, we need a systematic way to identify what we're defending against. The next page introduces Threat Modeling—the practice of systematically identifying threats, vulnerabilities, and mitigations before writing code.

Page Complete

You now understand defense in depth—the strategy of layering multiple independent security controls throughout your system. This ensures that no single point of failure compromises your entire security posture. Next, we'll learn how to systematically identify what threats to defend against.